A pretty annoying malware.

I share this laptop with my siblings. Of course we do not all have the same awareness with regard to malware, viruses, etc. To my surprise, after my brother used my laptop, I wasn't able to use the Windows XP command prompt any more, or at least the cmd.exe prompt. Whenever I opened a command prompt box, a shutdown window would appear and then my laptop would shut down. It reminded me of an old worm. Running Notepad was OK though. So I checked whether my theory was right.

I fired up Notepad, typed in shutdown -a, then saved the file as test.bat. Sure enough, after double-clicking the .bat file, the shutdown message appeared. But because of the shutdown -a command in the batch file, it aborted the shutdown process.

Checking the Task Manager, I could see bar311.exe among the running processes, an immediate trail of the annoying malware.

The next thing was to check for hidden files. The Folder Options should look something like this:


But I saw mine as:


Whenever I changed the setting, it reverted to that state. Something was really fishy.

I had to do something.

I started by killing the bar311.exe process using the Task Manager.

Then I re-enabled the Folder Options settings using Regedit.


Still using Regedit, search for all traces of the string bar311.exe. The first hit is the Winlogon Userinit value, which runs extra programs at every logon:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="userinit.exe,bar311.exe" --> remove ",bar311.exe" (leave the userinit.exe entry in place, otherwise logon breaks)

Looking at the registry key

[HKEY_CURRENT_USER\Software\Microsoft\Command Processor]

reveals an interesting find: an AutoRun value pointing at pc-off.bat. cmd.exe executes whatever this value names every time a prompt is opened, so this must be the source of the shutdown command.

[HKEY_CURRENT_USER\Software\Microsoft\Command Processor]
"AutoRun"="c:\Windows\pc-off.bat" --> remove "c:\Windows\pc-off.bat" or delete the AutoRun value entirely.

(Starting the prompt with cmd.exe /D skips the AutoRun value, which gives a usable command prompt while cleaning up.)

c:\Windows must also be where bar311.exe is located. Both files need to be deleted, so create another batch file.

Opening notepad, type the following:

@echo off
rem /a deletes the file regardless of its attributes (the malware hides its files)
rem /f forces deletion even if the file is marked read-only
del /a /f c:\windows\bar311.exe
del /a /f c:\windows\pc-off.bat

Save the file as remover.bat on the desktop, then double-click its icon to run it.
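The two persistence points above (Winlogon Userinit and Command Processor AutoRun) are easy to audit offline from a Regedit export. The following is an added example, not code from the original post: it parses a .reg export, flags any extra program appended to Userinit and any AutoRun script, and builds a .reg fragment that restores Userinit and deletes the AutoRun value. The sample export embedded in the script is constructed to mirror what the post found (the full userinit.exe path and the key names are assumptions about a typical XP system, not values copied from the infected laptop).

```python
import re

# Constructed sample of a Regedit export (File > Export), modeled on the
# values described in the post. This is not data captured from the laptop.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,bar311.exe"
"Shell"="Explorer.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Command Processor]
"AutoRun"="c:\\Windows\\pc-off.bat"
"CompletionChar"=dword:00000009
"""

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
CMDPROC = r"HKEY_CURRENT_USER\Software\Microsoft\Command Processor"

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: raw_data}}."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2)
    return keys


def reg_string(raw):
    """Decode a quoted REG_SZ literal: strip quotes, unescape \\ and \"."""
    if raw.startswith('"') and raw.endswith('"'):
        return re.sub(r"\\(.)", r"\1", raw[1:-1])
    return raw


def triage(keys):
    """Return (findings, cleaned_userinit).

    findings: list of (description, offending data) tuples.
    cleaned_userinit: the Userinit string with only userinit.exe kept,
    or None if the value was not in the export.
    """
    findings = []
    cleaned_userinit = None

    win = keys.get(WINLOGON, {})
    if "Userinit" in win:
        # Userinit is a comma-separated list; anything besides userinit.exe
        # is an extra program launched at every logon.
        entries = [e.strip() for e in reg_string(win["Userinit"]).split(",") if e.strip()]
        keep = [e for e in entries if e.lower().endswith("userinit.exe")]
        for e in entries:
            if e not in keep:
                findings.append(("Winlogon Userinit launches extra program at logon", e))
        cleaned_userinit = ",".join(keep) + ","  # Windows' own format ends with a comma

    cmd = keys.get(CMDPROC, {})
    if "AutoRun" in cmd:
        # Any AutoRun value is suspect: it runs before every cmd.exe session.
        findings.append(("Command Processor AutoRun runs a script on every cmd.exe start",
                         reg_string(cmd["AutoRun"])))
    return findings, cleaned_userinit


def fix_reg(cleaned_userinit):
    """Build a .reg file restoring Userinit and deleting AutoRun ('=-' deletes a value)."""
    esc = cleaned_userinit.replace("\\", "\\\\")
    return (
        "Windows Registry Editor Version 5.00\n\n"
        f"[{WINLOGON}]\n\"Userinit\"=\"{esc}\"\n\n"
        f"[{CMDPROC}]\n\"AutoRun\"=-\n"
    )


if __name__ == "__main__":
    found, cleaned = triage(parse_reg(SAMPLE_REG))
    for desc, data in found:
        print(f"{desc}: {data}")
    if cleaned:
        print("\nProposed fix (.reg):\n" + fix_reg(cleaned))
```

On a real machine the export comes from Regedit (or `reg export` on later versions); the script only reads text, so it can be run from a clean machine against an export copied off the infected one, which is safer than editing live with the malware still resident.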



